[Samba] After upgrade to 4.9.4, internal DNS no longer working

Viktor Trojanovic viktor at troja.ch
Thu Dec 27 12:28:00 UTC 2018


Hi Louis,

Please keep in mind that this was just an incremental upgrade of an
otherwise working AD DC. Files such as /etc/hostname, /etc/nsswitch.conf
and /etc/resolv.conf were not affected by the upgrade. But yes, I double
checked, and they are all correct as I've shown in previous emails.

hostname is DC1, confirmed by hostnamectl, resolv.conf has just two
entries: nameserver (own IP), and search samdom.example.com. Same as it is
now, so this all works.

resolvectl is no longer showing anything because I disabled
systemd-resolved in the meantime. I don't think that was necessary but I
did it either way, just to be on the safe side. I'm actually pretty sure it
would have been sufficient to just set DNSStubListener=No in
/etc/systemd/resolved.conf.

As for managing the network, I'm using systemd-network and my network file
looks as follows (no changes in years):

[Match]
Name=br-lxc

[Network]
Address=192.168.1.1/24   <---- = DC1
DNS=192.168.1.1
IPForward=ipv4
Domains=samdom.example.com
Gateway=192.168.1.2   <------ = Router
UseDomains=yes

And yes, I agree, the Arch Wiki is a great resource.

Cheers,
Viktor


On Thu, 27 Dec 2018 at 12:19, L.P.H. van Belle via samba <
samba at lists.samba.org> wrote:

> Ps.
>
> I forgot to ask.
> Which is used: systemd-networkd or NetworkManager?
>
> The why is shown here:
> https://wiki.archlinux.org/index.php/Systemd-resolved
>
> The wiki of Arch is very good, I do use these often. ( yes even for
> my Debian servers ).
>
> Greetz,
>
> Louis
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Viktor Trojanovic via samba
> > Sent: Thursday 27 December 2018 11:58
> > To: Rowland Penny; samba at lists.samba.org
> > Subject: Re: [Samba] After upgrade to 4.9.4, internal DNS
> > no longer working
> >
> > Hi Louis and Rowland,
> >
> > Thanks for all your input. In answer to your questions, yes,
> > all packages were upgraded to 4.9.4 so that was not the issue
> > – the error messages you’ve seen in this regard are from
> > during the upgrade. I can only guess that something was
> > removed too early. Also both hostname and resolv.conf were
> > set up correctly.  But these points seem moot now as I was
> > able to solve the issue.
> >
> > I didn’t touch the base system which was upgraded but I did
> > downgrade Samba and dependencies (samba, smbclient,
> > libwbclient) back to v4.7.4, I then just overwrote the Samba
> > folder (/var/lib/samba) which contains private and sysvol
> > with a recent backup – and everything works again. Users can
> > log in, GPOs are being distributed. I have not yet tried to
> > upgrade again, I’ll leave this for some other day.
> >
> > samba-tool dbcheck isn’t showing any errors. samba-tool ntacl
> > sysvolcheck does complain about an incorrect db acl on a gpo
> > directory so I ran sysvolreset. The error remains but doesn’t
> > seem to bother the AD otherwise. Still, to be safe, here is
> > the error:
> >
> > $ sudo samba-tool ntacl sysvolcheck
> > ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
> > exception - ProvisioningError: DB ACL on GPO directory
> > /var/lib/samba/sysvol/samdom.example.com/Policies/{31B2F340-01
> > 6D-11D2-945F-00C04FB984F9}
> > O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;
> > OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f0
> > 1ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> > does not match expected value
> > O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;
> > OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f0
> > 1ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> > from GPO object
> >   File
> > "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> > line 176, in _run
> >     return self.run(*args, **kwargs)
> >   File
> > "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
> > line 270, in run
> >     lp)
> >   File
> > "/usr/lib/python2.7/site-packages/samba/provision/__init__.py"
> > , line 1723, in checksysvolacl
> >     direct_db_access)
> >   File
> > "/usr/lib/python2.7/site-packages/samba/provision/__init__.py"
> > , line 1674, in check_gpos_acl
> >     domainsid, direct_db_access)
> >   File
> > "/usr/lib/python2.7/site-packages/samba/provision/__init__.py"
> > , line 1621, in check_dir_acl
> >     raise ProvisioningError('%s ACL on GPO directory %s %s
> > does not match expected value %s from GPO object' %
> > (acl_type(direct_db_access), path, fsacl_sddl, acl))
> >
> > Any advice on how to take care of this error, or can this be
> > safely ignored?
> >
> > Thanks,
> > Viktor
> >
> >
> > From: Rowland Penny via samba
> > Sent: Thursday, 27 December 2018 11:29
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] After upgrade to 4.9.4, internal DNS no
> > longer working
> >
> > On Thu, 27 Dec 2018 11:07:08 +0100
> > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> >
> > > Gooood morning Rowland, :-)
> > >
> > > You're late ;-)..
> > > What I also did see, so it's more clear for others also.
> > >
> > > > Dez 22 21:08:31 dc1 systemd[1]: Starting Samba AD Daemon...
> > > > Dez 22 21:08:31 dc1 kernel: audit: type=1131
> > > > audit(1545509311.984:52): pid=1 uid=0 auid=4294967295
> > > > ses=4294967295 msg='unit=samba comm="systemd"
> > > > exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> > > > res=failed' Dez 22 21:08:32 dc1 samba[733]: root process[733]:
> > > > [2018/12/22
> > >
> > > This line:  exe="/usr/lib/systemd/systemd" hostname=? addr=?
> > > terminal=? res=failed'
> > >
> > > So incorrect hostname/resolving resulting in this problem.
> >
> > I actually think it could be a symptom and not the root cause. It
> > could be that two main things happened, systemd was upgraded and with
> > it 'resolved' was installed and smbclient wasn't upgraded.
> >
> > I think that if 'resolved' is removed and ALL Samba packages are
> > upgraded, he might get it to work again.
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
>
>

